CyberRota
← Ana sayfaya dön

CVE-2026-12154

MEDIUM · CVSS 6.4

Kaynak: NVD + CISA KEV + EPSS · Yayınlanma: 2026-07-06T18:16:36.670 · Çekilme zamanı: 2026-07-07T00:07:14.400249+00:00

CyberRota Yorumu

Detaylı analiz gerekiyor.

CVE
CVE-2026-12154
Severity
MEDIUM
CVSS
6.4
EPSS
Yok
WordPress

Orijinal NVD Açıklaması

The Reviews Widgets for Google, Yelp & TripAdvisor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'page_id' shortcode attribute of the [fbrev] shortcode in versions up to and including 2.7.3. This is due to insufficient input sanitization and output escaping in the Feed_Shortcode::fbrev() method, which passes the raw shortcode attribute through Feed_Old::get_feed() into the View::render() method, where it is echoed directly into the data-id HTML attribute without esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.